weather-report-skills
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This weather-formatting skill appears benign; it fetches public weather data from wttr.in and formats it, with no credentials, persistence, or file changes shown.
This skill is reasonable for formatting weather reports. Before installing, note that it expects local command-line tools and sends a request to wttr.in, currently for Tianjin; adjust the endpoint/location if you need a different city or provider.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A weather request may contact wttr.in and reveal the request source IP and requested location to that service.
This tells the agent to invoke curl and retrieve data from the external wttr.in weather service. That is expected for a weather-report skill, but it is still a network/tool action users should be aware of.
使用 `curl -s "wttr.in/Tianjin?format=j1"` 获取天气数据
Use only if you are comfortable with wttr.in being queried; prefer an explicit HTTPS URL and confirm or adjust the hardcoded Tianjin location if needed.
The skill may fail or behave differently on systems without these tools, even though no runtime requirements are listed.
The reference instructions rely on date, curl, and python3 even though the registry requirements declare no required binaries. These are common and purpose-aligned tools, but the dependency disclosure is incomplete.
获取当前时间:`date '+%Y-%m-%d %H:%M'` ... `curl -s "wttr.in/Tianjin?format=j1" | python3 -c "`
Declare curl, date, and python3 as expected runtime tools, or provide a no-shell alternative for fetching and parsing weather data.